xorg-server: fix CVE-2018-14665.

> An incorrect permission check for -modulepath and -logfile options when > starting Xorg. X server allows unprivileged users with the ability to log in > to the system via physical console to escalate their privileges and run > arbitrary code under root privileges. This issue was kindly reported by the user vifino. Thanks for that!
2018-10-26 08:19:57 +02:00 · 2018-10-26 08:19:57 +02:00 · c651c9be6b
commit c651c9be6b
parent e90ac579f8
2 changed files with 52 additions and 1 deletions
--- a/srcpkgs/xorg-server/patches/CVE-2018-14665.patch
+++ b/srcpkgs/xorg-server/patches/CVE-2018-14665.patch
@ -0,0 +1,51 @@
+From 8a59e3b7dbb30532a7c3769c555e00d7c4301170 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 23 Oct 2018 21:29:08 +0200
+Subject: [PATCH] Disable -logfile and -modulepath when running with elevated
+ privileges
+
+Could cause privilege elevation and/or arbitrary files overwrite, when
+the X server is running with elevated privileges (ie when Xorg is
+installed with the setuid bit set and started by a non-root user).
+
+CVE-2018-14665
+
+Issue reported by Narendra Shinde and Red Hat.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+(cherry picked from commit 50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e)
+---
+ hw/xfree86/common/xf86Init.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git ./hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
+index 3c5cc7097..cabf8716b 100644
+--- ./hw/xfree86/common/xf86Init.c
+++ ./hw/xfree86/common/xf86Init.c
+@@ -1027,14 +1027,18 @@ ddxProcessArgument(int argc, char **argv, int i)
+     /* First the options that are not allowed with elevated privileges */
+     if (!strcmp(argv[i], "-modulepath")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
+        if (xf86PrivsElevated())
+              FatalError("\nInvalid argument -modulepath "
+                "with elevated privileges\n");
+         xf86ModulePath = argv[i + 1];
+         xf86ModPathFrom = X_CMDLINE;
+         return 2;
+     }
+     if (!strcmp(argv[i], "-logfile")) {
+         CHECK_FOR_REQUIRED_ARGUMENT();
+-        xf86CheckPrivs(argv[i], argv[i + 1]);
+        if (xf86PrivsElevated())
+              FatalError("\nInvalid argument -logfile "
+                "with elevated privileges\n");
+         xf86LogFile = argv[i + 1];
+         xf86LogFileFrom = X_CMDLINE;
+         return 2;
+-- 
+2.18.1
+
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@ -1,7 +1,7 @@
 # Template file for 'xorg-server'
 pkgname=xorg-server
 version=1.20.2
-revision=2
+revision=3
 build_style=meson
 configure_args="-Dipv6=true -Dxorg=true -Dxnest=true -Dxephyr=true
 -Dxvfb=true -Dhal=false -Dudev=true -Dxkb_dir=/usr/share/X11/xkb